-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0487
      Security Bulletin: Multiple vulnerabilities impact IBM Aspera Products
                              12 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Aspera High-Speed Transfer Server
                   IBM Aspera High-Speed Transfer Client
                   IBM Aspera Desktop Client
                   IBM Aspera High-Speed Transfer Endpoint
Publisher:         IBM
Operating System:  Linux variants
                   Windows
                   Mac OS
Impact/Access:     Access Privileged Data          -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Existing Account
                   Create Arbitrary Files          -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5443 CVE-2019-1559 CVE-2019-1552 CVE-2018-0734
Reference:         ASB-2020.0025 ASB-2020.0017 ESB-2020.0314 ESB-2020.0267

Original Bulletin:
   https://www.ibm.com/support/pages/node/1126581
   https://www.ibm.com/support/pages/node/2027745
   https://www.ibm.com/support/pages/node/2020677
   https://www.ibm.com/support/pages/node/2016771

- --------------------------BEGIN INCLUDED TEXT--------------------

Curl vulnerabilities CVE-2019-5443 impact IBM Aspera High-Speed Transfer Server, IBM Aspera High-Speed Transfer Client, IBM Aspera Desktop Client 3.9.1 and earlier

Security Bulletin

Summary

Curl vulnerabilities CVE-2019-5443 impact IBM Aspera High-Speed Transfer Server, IBM Aspera High-Speed Transfer Client, IBM Aspera Desktop Client 3.9.1 and earlier. The fix is delivered in version 3.9.3.

Vulnerability Details

CVEID: CVE-2019-5443
DESCRIPTION: A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl "engine") on invocation. If that curl is invoked by a privileged user it can do anything it wants.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162844 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

+---------------------------------------+-----------------+
|Affected Product(s)                    |Version(s)       |
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Server  |3.9.1 and earlier|
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Endpoint|3.9.1 and earlier|
+---------------------------------------+-----------------+
|IBM Aspera Desktop Client              |3.9.1 and earlier|
+---------------------------------------+-----------------+

Remediation/Fixes

The fix is delivered in version 3.9.6 of IBM Aspera High-Speed Transfer Server, IBM Aspera High-Speed Transfer Client, IBM Aspera Desktop Client.

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

OpenSSL vulnerabilities (CVE-2019-1552) impacting IBM Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop 3.9.1 and earlier

Security Bulletin

Summary

OpenSSL vulnerabilities impacting IBM Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop 3.9.1, Aspera Connect 3.7.4 and earlier (CVE-2019-1552). The vulnerabilities are fixed in IBM Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop 3.9.6, and Aspera Connect 3.9.8.

Vulnerability Details

CVEID: CVE-2019-1552
DESCRIPTION: OpenSSL could allow a local attacker to bypass security restrictions, caused by the building of mingw programs or Windows programs with world-writable path defaults. An attacker could exploit this vulnerability to modify the default configuration, insert CA certificates, and modify (or even replace) existing engine modules.
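The CVE-2019-5443 and CVE-2019-1552 entries above describe one mechanism: a mingw-built OpenSSL defaults its OPENSSLDIR to a POSIX-style path such as /usr/local/ssl, which on Windows resolves on the system drive to C:\usr\local\ssl, a directory any local user can create, and an openssl.cnf placed there can name an engine shared object that OpenSSL loads and initialises on every invocation, curl included. The following audit is an added example for this bulletin, not curl, OpenSSL or IBM code: it reads OPENSSLDIR from `openssl version -a` output, walks the openssl_conf -> engines -> dynamic_path chain of a config file, and flags any of those paths that an unprivileged user controls. The unprotected prefix list, the assumption that the system drive is C:, the simplified config parser and all sample inputs are assumptions made for the example.

```python
"""Audit an OpenSSL build for the engine auto-load exposure behind CVE-2019-5443
and CVE-2019-1552. Added example for this bulletin, not curl, OpenSSL or IBM
code; the inputs below are constructed samples of `openssl version -a` output
and of an openssl.cnf a local user might plant."""
import re
from typing import Dict, List, Optional, Tuple

# ASSUMPTION: prefixes any local user can create on a default Windows install.
# A mingw "/usr/local" default resolves to C:\usr\local, the CVE-2019-5443 path.
UNPROTECTED_PREFIXES = ("c:/usr/", "c:/tmp/")

def win_normalize(path: str) -> str:
    """Resolve a path the way a mingw-built binary does on Windows: POSIX-style
    absolute paths land on the system drive (assumed C:). Result ends in '/'."""
    p = path.replace("\\", "/").lower()
    if p.startswith("/"):
        p = "c:" + p
    return p if p.endswith("/") else p + "/"

def is_unprotected(path: str) -> bool:
    """True when the path is relative (resolved against the caller's CWD) or
    sits under a prefix an unprivileged user controls."""
    norm = win_normalize(path)
    return not re.match(r"^[a-z]:/", norm) or norm.startswith(UNPROTECTED_PREFIXES)

def parse_openssldir(version_output: str) -> Optional[str]:
    """Pull OPENSSLDIR out of `openssl version -a` (or `openssl version -d`) output."""
    m = re.search(r'^OPENSSLDIR:\s*"([^"]+)"', version_output, re.M)
    return m.group(1) if m else None

def parse_cnf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal openssl.cnf reader: [section] headers and key = value lines.
    No $var expansion or .include handling; enough to follow engine sections."""
    sections: Dict[str, Dict[str, str]] = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def engines_from_cnf(cfg: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Walk openssl_conf -> engines -> per-engine section -> dynamic_path, the
    chain OpenSSL follows to load an engine from a shared object at startup."""
    init = cfg.get("default", {}).get("openssl_conf")
    engines_sec = cfg.get(init, {}).get("engines") if init else None
    found = []
    for engine_id, sec_name in cfg.get(engines_sec or "", {}).items():
        sec = cfg.get(sec_name, {})
        found.append({"id": sec.get("engine_id", engine_id),
                      "dynamic_path": sec.get("dynamic_path", ""),
                      "init": sec.get("init", "0")})
    return found

def audit(version_output: str, cnf_text: str = "") -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one build plus its config."""
    findings: List[Tuple[str, str]] = []
    openssldir = parse_openssldir(version_output)
    if openssldir is None:
        findings.append(("INFO", "no OPENSSLDIR in version output"))
    elif is_unprotected(openssldir):
        findings.append(("HIGH", f"OPENSSLDIR {openssldir} is under a user-creatable "
                                 "path; any local user can plant openssl.cnf there"))
    for eng in engines_from_cnf(parse_cnf(cnf_text)):
        # An engine without dynamic_path is built in; nothing is loaded from disk.
        if eng["dynamic_path"] and is_unprotected(eng["dynamic_path"]):
            findings.append(("HIGH", f"engine {eng['id']} loads {eng['dynamic_path']} "
                                     f"from a user-controllable path (init={eng['init']})"))
    return findings

# Constructed sample: a mingw build with the stock /usr/local/ssl OPENSSLDIR.
SAMPLE_VERSION_A = 'OpenSSL 1.1.1c  28 May 2019\nplatform: mingw64\nOPENSSLDIR: "/usr/local/ssl"\n'
# Constructed sample: the openssl.cnf a local user could drop at C:\usr\local\ssl.
SAMPLE_PLANTED_CNF = r"""openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
evil = evil_section
[evil_section]
engine_id = evil
dynamic_path = C:\usr\local\lib\evil.dll
init = 1
"""
# Constructed sample: a build whose config lives under a protected prefix.
SAMPLE_SAFE_VERSION_A = 'OpenSSL 1.1.1d  10 Sep 2019\nOPENSSLDIR: "C:/Program Files/OpenSSL/ssl"\n'

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_VERSION_A, SAMPLE_PLANTED_CNF):
        print(f"[{severity}] {message}")
    print("protected build:", audit(SAMPLE_SAFE_VERSION_A))
```

On a real host feed `audit()` the output of the bundled `openssl version -a` and the contents of the openssl.cnf found under that OPENSSLDIR; a HIGH on OPENSSLDIR alone is already the CVE-2019-5443 condition, because the attacker creates the config file themselves. The same check applies to ENGINESDIR and to any path that `openssl version -a` reports under a user-creatable prefix.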
CVSS Base score: 2.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164498 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

+---------------------------------------+-----------------+
|Affected Product(s)                    |Version(s)       |
+---------------------------------------+-----------------+
|IBM Aspera Desktop Client              |3.9.1 and earlier|
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Server  |3.9.1 and earlier|
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Endpoint|3.9.1 and earlier|
+---------------------------------------+-----------------+
|IBM Aspera Connect                     |3.7.4 and earlier|
+---------------------------------------+-----------------+

Remediation/Fixes

+---------------------------------------+----------+
|Affected Product(s)                    |Version(s)|
+---------------------------------------+----------+
|IBM Aspera Desktop Client              |3.9.6     |
+---------------------------------------+----------+
|IBM Aspera High-Speed Transfer Server  |3.9.6     |
+---------------------------------------+----------+
|IBM Aspera High-Speed Transfer Endpoint|3.9.6     |
+---------------------------------------+----------+
|IBM Aspera Connect                     |3.9.8     |
+---------------------------------------+----------+
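A version triage that encodes the fix versions from the Remediation tables in this bulletin and the OpenSSL ranges cited in the CVE-2018-0734 and CVE-2019-1559 entries below, as an added example (not IBM or AusCERT tooling). It parses `openssl version` output, whose format is standard, and the product version from an ascp banner whose exact wording (assumed here to be what `ascp -A` prints) is an assumption; adjust the pattern to what the installed build prints. The sample outputs are constructed. OpenSSL 1.x patch letters sort after the bare release, so 1.0.2q is newer than 1.0.2p, and the comparison key handles that rather than comparing strings.

```python
"""Triage a host against the version ranges this bulletin lists. Added example,
not IBM or AusCERT tooling; fix versions come from the Remediation tables and
the OpenSSL ranges from the CVE-2018-0734 and CVE-2019-1559 entries. Sample
command output is constructed."""
import re
from typing import List, Optional, Tuple

# First fixed version per product, per the bulletin's Remediation tables.
FIXED_ASPERA = {
    "IBM Aspera High-Speed Transfer Server": "3.9.6",
    "IBM Aspera High-Speed Transfer Endpoint": "3.9.6",
    "IBM Aspera Desktop Client": "3.9.6",
    "IBM Aspera Connect": "3.9.8",
}

# Affected OpenSSL ranges (inclusive) exactly as the bulletin states them.
OPENSSL_AFFECTED = {
    "CVE-2018-0734": [("1.1.1", "1.1.1"), ("1.1.0", "1.1.0i"), ("1.0.2", "1.0.2p")],
    "CVE-2019-1559": [("1.0.2", "1.0.2q")],
}

# ASSUMPTION: the product banner contains "version <dotted number>"; the
# `openssl version` banner ("OpenSSL 1.0.2p  14 Aug 2018") is standard.
ASCP_PATTERN = r"version\s+(\d+(?:\.\d+)+)"
OPENSSL_PATTERN = r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)"

def openssl_key(version: str) -> Tuple[int, int, int, str]:
    """Ordering key for 1.x OpenSSL versions: numeric triple, then the patch
    letter(s), so '1.0.2' < '1.0.2a' < '1.0.2p' < '1.0.2q'. Ignores -fips/-dev tags."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)

def openssl_cves(version: str) -> List[str]:
    """CVEs from the bulletin whose affected range contains this OpenSSL version."""
    key = openssl_key(version)
    return [cve for cve, ranges in OPENSSL_AFFECTED.items()
            if any(openssl_key(lo) <= key <= openssl_key(hi) for lo, hi in ranges)]

def aspera_key(version: str) -> Tuple[int, ...]:
    """Dotted numeric versions compare component-wise ('3.9.1.168302' < '3.9.6')."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def parse_version(output: str, pattern: str) -> Optional[str]:
    m = re.search(pattern, output, re.I)
    return m.group(1) if m else None

def triage(product: str, ascp_output: str, openssl_output: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs: 'upgrade' when the product is below its fix
    version, one 'openssl' entry per CVE whose range holds the bundled OpenSSL."""
    findings: List[Tuple[str, str]] = []
    installed = parse_version(ascp_output, ASCP_PATTERN)
    fixed = FIXED_ASPERA[product]
    if installed is None:
        findings.append(("unknown", f"could not read {product} version"))
    elif aspera_key(installed) < aspera_key(fixed):
        findings.append(("upgrade", f"{product} {installed} is below fixed version {fixed}"))
    ossl = parse_version(openssl_output, OPENSSL_PATTERN)
    for cve in (openssl_cves(ossl) if ossl else []):
        findings.append(("openssl", f"bundled OpenSSL {ossl} is in the {cve} affected range"))
    return findings

# Constructed samples of the two command outputs on an unpatched host.
SAMPLE_ASCP = "ascp version 3.9.1.168302\nLicense max rate=(unlimited), account no.=1, license no.=1\n"
SAMPLE_OPENSSL = "OpenSSL 1.0.2p  14 Aug 2018\n"

if __name__ == "__main__":
    for kind, detail in triage("IBM Aspera High-Speed Transfer Server", SAMPLE_ASCP, SAMPLE_OPENSSL):
        print(f"{kind}: {detail}")
```

The product check is the one that matters for this bulletin, since IBM ships its own OpenSSL inside the Aspera packages; the OpenSSL check is a second signal for hosts where the bundled library can be queried directly, and only covers the two CVEs whose ranges the bulletin spells out.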
Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

OpenSSL vulnerabilities impacting Aspera High-Speed Transfer Server, Aspera Desktop Client 3.9.1 and earlier (CVE-2018-0734)

Security Bulletin

Summary

The OpenSSL vulnerability CVE-2018-0734 impacts Aspera High-Speed Transfer Server 3.9.1 and earlier and Aspera Desktop Client 3.9.1 and earlier. The fix is delivered in Aspera High-Speed Transfer Server 3.9.3 and Aspera Desktop Client 3.9.3.

Vulnerability Details

CVEID: CVE-2018-0734
DESCRIPTION: The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152085 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+---------------------------------------+-----------------+
|Affected Product(s)                    |Version(s)       |
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Server  |3.9.1 and earlier|
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Endpoint|3.9.1 and earlier|
+---------------------------------------+-----------------+
|IBM Aspera Desktop Client              |3.9.1 and earlier|
+---------------------------------------+-----------------+

Remediation/Fixes

+---------------------------------------+-----------------+
|Affected Product(s)                    |Fix in Version(s)|
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Server  |3.9.6            |
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Endpoint|3.9.6            |
+---------------------------------------+-----------------+
|IBM Aspera Desktop Client              |3.9.6            |
+---------------------------------------+-----------------+

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

OpenSSL vulnerabilities impacting Aspera High-Speed Transfer Server, Aspera Desktop Client 3.9.1 and earlier (CVE-2019-1559)

Security Bulletin

Summary

The OpenSSL vulnerability CVE-2019-1559 impacts Aspera High-Speed Transfer Server 3.9.1 and earlier and Aspera Desktop Client 3.9.1 and earlier. The fix is delivered in Aspera High-Speed Transfer Server 3.9.3 and Aspera Desktop Client 3.9.3.

Vulnerability Details

CVEID: CVE-2019-1559
DESCRIPTION: If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
CVSS Base score: 5.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/157514 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Affected Products and Versions

+---------------------------------------+-----------------+
|Affected Product(s)                    |Version(s)       |
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Server  |3.9.1 and earlier|
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Endpoint|3.9.1 and earlier|
+---------------------------------------+-----------------+
|IBM Aspera Desktop Client              |3.9.1 and earlier|
+---------------------------------------+-----------------+

Remediation/Fixes

+---------------------------------------+-----------------+
|Affected Product(s)                    |Fix in Version(s)|
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Server  |3.9.6            |
+---------------------------------------+-----------------+
|IBM Aspera High-Speed Transfer Endpoint|3.9.6            |
+---------------------------------------+-----------------+
|IBM Aspera Desktop Client              |3.9.6            |
+---------------------------------------+-----------------+

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
=========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXkOKgmaOgq3Tt24GAQhqFg/+MkU4c9GRsf9h5YSjdg5bpMjoTT7b/egA zUqHZhDz92nHfPAY2lhiFdmK/IhyNM4ssy6dGxPovksD7U3gW6tVnLv51zKcoLCB pTcNmIBSkWxO+mnqcEJkoMm+7HuDuP5VKEc73uyMjR2zpahjzV7x1olH5DX98IE7 hhCmu4jDSUW28PYxOSHu1kx+a8wor3+2cpaCjMpJCk8O7Cs3iQoyUlsYnHhYHau5 y1PH9XRHuRp0/ZNDAO+3KRifdivZu+ar9nTSSoDSKWbqqywz/IWoDWiYzwcabW4/ OIMQVHEwZJl55NPmxlaMj+aY4MAmtQSlO4KsdVKOARkaXXgLAmN5uC1gaqBmThTq q6HwSJMV5e6yKHX8+o1Q6LboFZpQn8+i681WAcg1z2NRFNyGCW3GAowcdKOl5aLs MOLiDeqJ8NndsXa/qJLuny4CkLbGc95LKudDHaQdFuAC7ML7Zx/amn7+3fZu/OSH g98gsZjiFfhlwDGLDcXu2QgClYvqnm7VU8chtLMmNr+Ql6N9ZY7uEUE/nAe9HMkj ax7rlDSG7RrsSFENGo8lCRJjW1+LOfJRAX7Vi1fWwK0A9xMavYhLSUNrzqFayham UNWmaSwduO221VwOrb8d4SkIEuhXugDW9ne3jtwsumLc7CO6NZ72mJNjitex2wXY 4AbHaEhZHAs= =Ke8n -----END PGP SIGNATURE-----